Many Dutch municipalities do not yet respond adequately to security vulnerabilities, research finds
Many local authorities respond too slowly or inadequately to reports about security vulnerabilities. These coordinated vulnerability disclosures (CVD reports) are often made by ethical hackers who aim to make the internet safer. While this process has improved in recent years, the study by the University of Twente and the Dutch Institute for Vulnerability Disclosure (DIVD) indicates that there is still much room for improvement for local authorities.
Of the 114 Dutch municipalities examined, the researchers were able to track whether the issue was resolved in 89 of them. Among these 89 contacted municipalities, 44 did not respond to the security notification within 90 days, the disclosure period the University of Twente specifies in its Coordinated Vulnerability Disclosure policy for research. In 49 of the responding municipalities, the problem was found to remain unresolved. In 10 municipalities, the security vulnerability was fixed, but this was not communicated back to the notifier.
However, there are reasons for optimism, as some municipalities responded proactively to the notifications. In 19 municipalities, the report was handled appropriately and the notifier received a response. The research was conducted by Koen van Hove, a Ph.D. candidate at the University of Twente, a software and research engineer at NLnet Labs, and a researcher at the volunteer organization Dutch Institute for Vulnerability Disclosure (DIVD). He initiated the research out of curiosity about how CVD procedures function in Dutch municipalities.